VPN with One or More LSM Profiles
You can configure a VPN Star Community between two SmartLSM Profiles. The procedures below use a SmartLSM Gateway Profile and a SmartLSM Cluster Profile (a cluster is two or more Security Gateways that work together in a redundant configuration, High Availability or Load Sharing). You can also configure the community with two SmartLSM Cluster Profiles or two SmartLSM Gateway Profiles. All included SmartLSM Gateway and Cluster Profiles must have the IPsec VPN blade (the Software Blade that provides Site to Site VPN and Remote Access VPN) enabled.
The configuration steps are:

- In SmartConsole, create the network objects that represent the VPN community members and their networks, and create a Star Community with To center and to other satellites through center selected as the VPN Routing option in the Star Community Properties.

Procedure

- Create and configure a SmartLSM Cluster Profile.
  When you configure the topology, make sure that the interface name exactly matches the name of the physical interface.
- Create and configure a SmartLSM Gateway Profile.
- Create a Security Gateway object to be the Center Gateway.
  Note - A Small Office Appliance cannot be the Center Gateway.
- Create a new VPN Community:
  - From the left navigation panel, click Security Policies.
  - In the top section, click Access Control.
  - In the bottom section Access Tools, click VPN Communities.
  - Click the New icon and select Star Community.
  - Enter a name for the VPN Community.
  - In the Center Gateways area, click the plus icon to add one or more Security Gateways to be in the center of the VPN community.
    Select Mesh center gateways if you want the central Security Gateways to communicate with each other.
  - In the Satellite Gateways area, click the plus icon and select the SmartLSM Cluster Profile and the SmartLSM Gateway Profile (or the second Cluster Profile).
  - In VPN Routing, select To center and to other satellites through center.
  - Click OK.
- Create a Network object that represents the internal network of each satellite in the VPN community:
  - From the Objects bar, select New > Network Object > Network.
  - In the Network Address field, enter the IP address of the satellite's internal network. If the satellite is a cluster, enter the internal Virtual IP.
- Create a Host object that represents the external IP address of each satellite in the VPN community:
  - From the Objects bar, select New > Network Object > Gateways and Servers > Check Point Host.
  - In the IP Address field, enter the external IP address of the satellite. If the satellite is a cluster, enter the external Virtual IP.
- Create a Group object that represents the networks of each satellite:
  - From the Objects bar, select New > Network Object > Group > New Network Group.
  - Enter a Name for the group that is unique for one satellite.
  - Click Add and select the Network object that you created for that satellite's internal network.
  - Click Add and select the Host object that you created for that satellite's external IP address.
- Create a Group object that represents the Center Gateway:
  - From the Objects bar, select New > Network Object > Group > New Network Group.
  - Enter a Name for the group that is unique for the Center Gateway.
  - Click Add and select the Center Gateway object.
- Edit the routing table of the Domain Management Server (in a Multi-Domain Security Management environment) or of the Security Management Server, so that two SmartLSM Gateways or Cluster Profiles can communicate with each other through the Center Gateway. Do this in the vpn_route.conf file from the CLI.

Procedure

- Edit the vpn_route.conf file in the Vi editor.
  - In a Multi-Domain Security Management environment, edit the file in the context of the Domain Management Server:
    - If the satellites are Small Office Appliance Gateways or Clusters, edit this file:
      /var/opt/CPmds-R81/customers/<Name of Domain Management Server>/CPSG80CMP-R81/conf/vpn_route.conf
    - If the satellites are on a different appliance or an open server, edit this file:
      /opt/CPmds-R81/customers/<Name of Domain Management Server>/CPsuite-R81/fw1/conf/vpn_route.conf
  - In a Security Management Server environment:
    - If the satellites are Small Office Appliance Gateways or Clusters, edit this file:
      /opt/CPSG80CMP-R81/conf/vpn_route.conf
    - If the satellites are on a different appliance or an open server, edit this file:
      /opt/CPsuite-R81/fw1/conf/vpn_route.conf
- Add the required configuration. Each route line has three columns: destination, router, and install on.
  - If two SmartLSM Gateways in different LSM Gateway Profiles communicate with each other through the Center Gateway, configure:

    | # destination | router | [install on] |
    | --- | --- | --- |
    | <Name of the Network Group object that contains the internal network of the SmartLSM Gateway> | <Name of Center Gateway object> | <Name of second LSM Profile> |
    | <Name of the Network Group object that contains the internal network of the second SmartLSM Gateway> | <Name of Center Gateway object> | <Name of LSM Profile> |

  - If more than one SmartLSM Gateway in the same LSM Profile communicate with each other through the Center Gateway, configure:

    | # destination | router | [install on] |
    | --- | --- | --- |
    | <Name of the Network Group object that contains the internal network of the SmartLSM Gateway> | <Name of Center Gateway object> | <Name of LSM Profile> |

- Save the changes in the file and exit the editor.
- In SmartConsole, install policy on the SmartLSM Profiles and on the Center Gateway.
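The two vpn_route.conf cases above (satellites in different LSM Profiles, and several satellites in the same LSM Profile) follow one rule: each satellite's internal network must be routed through the Center Gateway on every profile whose gateways need to reach it. The script below is an added example, not Check Point's own tooling; it generates the three-column entries for a constructed set of satellites and validates the file text before you paste it into the editor. Object and profile names (Center_GW, SatA_Net_Group, LSM_Profile_1, and so on) are placeholders, and the tab-separated, '#'-commented layout is assumed from the page's description of the columns.

```python
"""Build and check vpn_route.conf entries for SmartLSM satellites that reach each
other through a Center Gateway.

Added example for this page; it is not Check Point's own tooling. Object and
profile names are constructed placeholders. The assumed file layout is the one
the page describes: '#' comment lines and three whitespace-separated columns,
destination / router / install on.
"""

# Constructed sample: (Network Group object for the satellite's internal network,
# SmartLSM Profile that the satellite belongs to).
CENTER_GW = "Center_GW"
SATELLITES = [
    ("SatA_Net_Group", "LSM_Profile_1"),
    ("SatB_Net_Group", "LSM_Profile_1"),
    ("SatC_Net_Group", "LSM_Profile_2"),
]


def build_vpn_route_entries(center_gw, satellites):
    """Return (destination, router, install_on) tuples.

    - A satellite's network is routed via the center on every *other* profile
      (the page's first case: gateways in different LSM Profiles).
    - It is also routed via the center on its *own* profile when that profile
      holds more than one satellite (the page's second case).
    """
    profiles = sorted({profile for _, profile in satellites})
    members = {p: [g for g, q in satellites if q == p] for p in profiles}
    entries = []
    for dest, own_profile in satellites:
        for profile in profiles:
            if profile != own_profile or len(members[profile]) > 1:
                entries.append((dest, center_gw, profile))
    return entries


def render_vpn_route_conf(entries):
    """Render entries as file text, one tab-separated route per line."""
    lines = ["# destination\trouter\t[install on]"]
    for dest, router, install_on in entries:
        for name in (dest, router, install_on):
            # Names are written verbatim as columns, so whitespace inside a
            # name would split it into extra columns and corrupt the line.
            if not name or any(ch.isspace() for ch in name):
                raise ValueError(f"invalid object name {name!r}")
        lines.append(f"{dest}\t{router}\t{install_on}")
    return "\n".join(lines) + "\n"


def parse_vpn_route_conf(text):
    """Parse file text back into tuples, rejecting malformed data lines.

    A line with a missing or extra column (for example, a forgotten
    'install on' value) raises ValueError that names the line number.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(
                f"line {lineno}: expected 3 columns, got {len(fields)}: {raw!r}"
            )
        entries.append(tuple(fields))
    return entries


if __name__ == "__main__":
    routes = build_vpn_route_entries(CENTER_GW, SATELLITES)
    text = render_vpn_route_conf(routes)
    print(text, end="")
    # Round-trip check: what we wrote parses back to the same routes.
    assert parse_vpn_route_conf(text) == routes
```

With the sample above, SatC (the only member of LSM_Profile_2) gets a route installed on LSM_Profile_1 but none on its own profile, while SatA and SatB get routes on both profiles because LSM_Profile_1 holds two satellites. Running the parser over a hand-edited file before you save it catches the common mistake of a line with only two columns.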
- Complete the configuration in the SmartProvisioning GUI (the Software Blade on the Management Server, actual name "Provisioning", that manages large-scale deployments of Security Gateways using configuration profiles; also called Large-Scale Management, SmartLSM, or LSM) and in the Center Gateway CLI.

Procedure

- From SmartConsole, open the SmartProvisioning GUI.
- Create a new SmartLSM Gateway or Cluster, based on the type of device you have.
- Generate a VPN certificate for each Gateway or Cluster Member (a Security Gateway that is part of a cluster):
  - Open the Gateway or Cluster object > VPN tab.
  - Select Use Certificate Authority Certificate.
  - Click Generate.
  - Repeat these steps for each Cluster Member.
  Note - If the topology information, including date and time, changes after you generate the certificate, you must generate a new certificate in the VPN tab and update the Gateway (Actions > Update Gateway).
- In the CLI of the Center Gateway, run:
  LSMenabler on
- In the SmartProvisioning GUI, right-click the Center Gateway and select Actions > Update Selected Corporate Office Gateway.
- In the Topology tab of each object, make sure that the topology of the provisioned objects is correct for each device:
  - Make sure that the interfaces have the same IP addresses as the actual gateways.
  - Make sure that the external and internal interfaces are recognized and configured correctly as "External" and "Internal".
  - If the interfaces show without IP addresses, click Get Actual Settings.
- In the Topology tab, configure the VPN domain:
  - For a SmartLSM Gateway Profile, select one of the options.
  - For a SmartLSM Cluster Profile, select Manually defined and manually add the encryption domains that you want to include.
- Click Push Policy.
  Note - All traffic between the satellites and the Center Gateway is encrypted.